CMMC Compliance Checklist

The U.S. Department of Defense (DoD) has set new cybersecurity requirements, the Cybersecurity Maturity Model Certification (CMMC), for companies that do business with it. Under DFARS clause 252.204-7012 a contractor must already report cyber incidents affecting covered defense information to the DoD within 72 hours of discovery; CMMC adds the requirement to be certified against a defined set of security practices before a contract is awarded.

That is a sensible move. Breaches of large business networks that expose the personal information of millions of users are by now familiar, and mandatory incident reporting lets the DoD trace a breach to its source and to other affected contractors, rather than learning of it only after the compromised information surfaces.

The DoD has recently seen a spate of network breaches at its contractors that exposed individuals' information held on the contractors' systems rather than on DoD systems themselves.

The recent case involving the Department of Justice (DOJ) and the FBI also highlights that law enforcement can obtain information a company has stored with a cloud provider. Moving data to the cloud does not move the responsibility for securing it, which is one more reason companies must keep a close eye on the security of their networks.


What is CMMC compliance?

CMMC (Cybersecurity Maturity Model Certification) was first published by the DoD in January 2020 and is being phased in over the following five years. Once in force, holding the CMMC level named in a solicitation will be a condition of award for DoD contracts, so it becomes a core part of every future bid.

CMMC Compliance Checklist

Access Control

Define access rules for all internal networks and systems, and keep a detailed, up-to-date list of users and the privileges each holds. Review that list against what the systems actually grant, so that accounts and privileges nobody approved are caught.
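An access review is the practical check behind this item: the documented list of users and privileges is only useful if it is regularly reconciled against the accounts the systems actually report. The script below is an added example, not code from the original page; the approved register and the exported account list are constructed sample data, and the field names (user, system, privilege) and the three finding kinds are assumptions for illustration.

```python
"""Reconcile an approved access register against observed account privileges.

Added example for the Access Control checklist item. APPROVED and OBSERVED are
constructed sample data standing in for a maintained register and an export
from the systems (for instance a group-membership dump); the key layout
(user, system) -> privilege is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AccessKey = Tuple[str, str]  # (user, system)

# Constructed sample: who is documented as holding which privilege.
APPROVED: Dict[AccessKey, str] = {
    ("alice", "cui-fileshare"): "read",
    ("bob", "cui-fileshare"): "admin",
    ("carol", "erp"): "user",
}

# Constructed sample: what the systems currently report.
OBSERVED: Dict[AccessKey, str] = {
    ("alice", "cui-fileshare"): "admin",  # privilege drift: approved as read
    ("bob", "cui-fileshare"): "admin",    # matches the register
    ("dave", "cui-fileshare"): "read",    # account not in the register at all
    # carol has no erp account any more: the register entry is stale
}


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    kind: str                # unapproved_account | privilege_mismatch | stale_register
    expected: Optional[str]  # privilege in the register, None if absent
    actual: Optional[str]    # privilege observed on the system, None if absent


def review_access(approved: Dict[AccessKey, str],
                  observed: Dict[AccessKey, str]) -> List[Finding]:
    """Return every discrepancy between the register and the observed state.

    Unapproved accounts and privilege mismatches are the security findings;
    stale register entries are hygiene findings that keep the list accurate.
    """
    findings: List[Finding] = []
    for (user, system), actual in sorted(observed.items()):
        expected = approved.get((user, system))
        if expected is None:
            findings.append(Finding(user, system, "unapproved_account", None, actual))
        elif expected != actual:
            findings.append(Finding(user, system, "privilege_mismatch", expected, actual))
    for (user, system), expected in sorted(approved.items()):
        if (user, system) not in observed:
            findings.append(Finding(user, system, "stale_register", expected, None))
    return findings


def security_findings(findings: List[Finding]) -> List[Finding]:
    """Only the findings that mean someone holds access nobody approved."""
    return [f for f in findings if f.kind in ("unapproved_account", "privilege_mismatch")]


if __name__ == "__main__":
    for f in review_access(APPROVED, OBSERVED):
        print(f"{f.kind:20} {f.user}@{f.system}: expected={f.expected} actual={f.actual}")
```

Run it on a real export by replacing OBSERVED with the parsed output of your directory or group-membership tooling; the point of the split between security findings and stale entries is that the former need an owner and a deadline, while the latter only need the register corrected.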

Asset Management

Know which hardware, software and other technologies have access to the system. Create and document processes for the whole asset lifecycle, from daily backups to the disposal of old equipment and the destruction of the data stored on it.

Audit and Accountability

Track, log and timestamp user access, user actions and every interaction with CUI assets, and protect the logs so they cannot be altered by the users they record.

Training and Awareness

Cybersecurity training must be included at every level of staff training, covering how each employee handles CUI within their role.

Configuration Management

Map all devices and systems that use or process CUI, and record their approved baseline configuration so that changes can be detected.

Identification and Authentication

Uniquely identify every user, device and process before granting access.

Use a strong authentication process with a minimum password complexity; at the levels that handle CUI, multifactor authentication is also required for network access.

Incident Response

Maintain a plan of action for incidents: how threats to data are detected, contained and reported.

Maintenance

Everything needs maintenance. Create a maintenance schedule for systems, hardware and devices.

Document system updates and patches to software, hardware and firmware.

Media Protection

Track all media containing sensitive data and manage their sanitisation and destruction.

Personnel Security

Carry out comprehensive background checks during the hiring process, and revoke access promptly when staff leave or change roles.

Physical Protection

Restrict physical access to the building and to all servers. Maintain a detailed list of employees and the areas each may access.

Recovery

Maintain system backup schedules and test restores in a separate environment.

Risk Management

Maintain a risk management plan. Scan systems and networks regularly for vulnerabilities and assess the risks they pose.

Security Assessment

Carry out periodic security audits to identify new vulnerabilities and emerging threats, and track the remediation of what they find.

Situational Awareness

Establish processes to identify new risks and threats to the system.

Track external cybersecurity threat intelligence.

System and Communications Protection

Define and control network boundaries, especially where cloud-based systems are in use.

Monitor endpoint security.

System and Information Integrity

Keep components and software up to date and patched. Schedule regular updates and monitor for malicious code.

CMMC Levels Certification

CMMC defines several levels of certification. Identify the kind of data you will handle under the contract, because the data type determines the level you must reach.

The National Institute of Standards and Technology (NIST) publishes the underlying requirements: NIST SP 800-171 sets the basic requirements for protecting CUI in non-federal systems, and NIST SP 800-172 adds enhanced requirements for defending it against advanced persistent threats. CMMC incorporates both into its certification levels.

FCI (Federal Contract Information): information provided by or generated for the government under a contract and not intended for public release. Handling FCI requires CMMC Level 1.

CUI (Controlled Unclassified Information): information that is sensitive but not classified. Handling CUI requires at least CMMC Level 3 under the five-level model described here.

  • CMMC Level 1 (Basic Cyber Hygiene) – Safeguard FCI; 17 practices based on the FAR 52.204-21 safeguarding requirements
  • CMMC Level 2 (Intermediate Cyber Hygiene) – Transition step toward protecting CUI; 72 practices
  • CMMC Level 3 (Good Cyber Hygiene) – Protect CUI; all 110 NIST SP 800-171 requirements plus 20 additional practices (130 in total)
  • CMMC Level 4 (Proactive) – Protect CUI and reduce the risk from advanced persistent threats (APTs); 156 practices
  • CMMC Level 5 (Advanced/Progressive, highest level) – Protect CUI against APTs with standardised, optimised processes; 171 practices

No CMMC level covers classified information, which is handled under separate rules. Note also that CMMC 2.0, announced in November 2021, collapses this model into three levels: Level 1 (Foundational, for FCI), Level 2 (Advanced, the 110 NIST SP 800-171 requirements for CUI) and Level 3 (Expert, adding a subset of NIST SP 800-172).

Frequently asked questions
Looking for more info? Here are some things we're commonly asked
  • Why is a Checklist Important?

    Does the running of your business include several repetitive tasks? If there’s no guidance or procedure in place, it’s possible for some of the steps in the process to get forgotten. This is why checklists are important.

    People get distracted, and when something gets forgotten, it’s much harder to recover than if they’d completed the task right in the first place.

    Guidance every step of the way makes sure something is completed perfectly every time.

    Read More: Why is a Checklist Important?

  • Checklist To Reduce Mistakes

    We all carry enormous knowledge and experience that we want to apply effectively, but we are all prone to mistakes. There is only so much we can hold in our heads without forgetting something. How do we make the most of what we know?

    The simple answer to this problem is to use checklists.

    Read More: Power Of A Simple Checklist To Reduce Mistakes

  • What types of checklist are there?

    There are two types of checklist, Read-Do and Do-Confirm, and the difference lies in how you use them.

    Read More: Types of checklist: What are the two most powerful Checklist Types?

  • Checklist Software

    A checklist is a way to document each step needed to complete a task: a detailed set of instructions, a guide to how something is done.

    Checklist software allows you to document every step of a process to be used over and over again.

    Read More: Checklist Software
